Cybersecurity Business Network submits evidence on Cyber Security and Resilience Bill

2 Feb 2026

Image credit: House of Commons

The Cybersecurity Business Network (CBN) has submitted written evidence to the Public Bill Committee on the Cyber Security and Resilience (Network and Information Systems) Bill, welcoming the Government’s ambition to strengthen the UK’s cyber resilience while recommending them to go further in several key areas.

Our written evidence has been developed through close engagement with our members and additional voices from across the cyber sector, from startups to established multinational providers, working to shape the policy to support a more secure and resilient digital economy.

Calling for a broader approach

CBN backs the Bill’s wider overall objectives, including expanding the scope of the NIS Regulations to reflect modern digital infrastructure, enhancing regulators’ powers to implement and enforce cyber resilience requirements and allowing the Secretary of State to update regulations via secondary legislation.

However, CBN warns that the Bill, as drafted, risks falling short of its potential impact if several issues are not addressed.

1. Expanding the scope to reflect real economic risk

CBN argues that the Bill’s scope remains too narrow, potentially leaving out major parts of the economy whose operations are critical to everyday life and national prosperity.

Our position calls for the adoption of a risk-based approach to determining which organisations fall in scope, based on factors such as:

Scale and systemic importance
Sensitivity and volume of data handled
Role as critical dependencies in supply chains

This should include key sectors like retail, manufacturing and financial services.

2. Aligning with existing resilience standards

Many organisations already rely on established frameworks and accreditations, such as the NCSC’s Cyber Essentials scheme, ISO 27001, and other international frameworks.

CBN recommends that the Bill explicitly reference and leverage an existing resilience standard, both to:

Raise the baseline for cyber resilience
Provide clearer, more objective benchmarks for regulators

This would also help avoid regulatory duplication, particularly where organisations are already subject to other regimes.

3. Making reporting requirements proportionate and practical

The current ‘one‑size‑fits‑all’ reporting model risks over‑burdening SMEs, especially those dealing with limited resources or major system outages during an incident.

CBN calls for:

Proportionate reporting expectations, calibrated to organisational size and function
Favouring quick, candid responses over overly legalistic incidence reports within the initial reporting window.
Better alignment of incident reporting across regulatory regimes to minimise duplication

4. Encouraging board‑level accountability

Finally, there is a need to move cyber resilience from being seen as a purely IT issue to a core element of enterprise risk management.

CBN recommends:

Making cyber resilience and reporting a board‑level responsibility for in‑scope organisations
Nominating a designated board representative for cyber security and resilience
Encouraging a top‑down culture of cyber resilience, supporting sustained investment in skills, training and infrastructure

You can read CBN’s full written evidence to the Public Bill Committee below for a detailed breakdown of our recommendations and rationale.

Written Evidence for Public Bill Committee – Cyber Security and Resilience Bill from Cybersecurity Business Network Download

If you have any questions around the Cyber Security and Resilience Bill, or are interested in our work and would like to get involved, please email secretariat@cb-network.org.